application/test/tests/api_v2/test_api_permissions.php


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108

<?php
/*
 * Copyright 2015-2016 Florian "Bluewind" Pritz <bluewind@server-speed.net>
 *
 * Licensed under AGPLv3
 * (see COPYING for full license text)
 *
 */

namespace test\tests\api_v2;

class test_api_permissions extends common {

	public function __construct()
	{
		parent::__construct();
		$this->startServer(23200);
		$this->userCounter = 100;
	}

	public function test_callPrivateEndpointsWithoutApikey()
	{
		$endpoints = array(
			"file/upload",
			"file/history",
			"file/delete",
			"file/create_multipaste",
			"user/apikeys",
			"user/create_apikey",
			"user/delete_apikey",
		);
		foreach ($endpoints as $endpoint) {
			$ret = $this->CallEndpoint("POST", $endpoint, array(
			));
			$this->expectError("call $endpoint without apikey", $ret);
			$this->t->is_deeply(array(
				'status' => 'error',
				'error_id' => 'api/not-authenticated',
				'message' => 'Not authenticated. FileBin requires you to have an account, please go to the homepage at http://127.0.0.1:23200/ for more information.',
			   ), $ret, "expected error");
		}
	}

	public function test_callPrivateEndpointsWithUnsupportedAuthentication()
	{
		$endpoints = array(
			"file/upload",
			"file/history",
			"file/delete",
			"file/create_multipaste",
			"user/apikeys",
			// create_apikey is the only one that supports username/pw
			//"user/create_apikey",
			"user/delete_apikey",
		);
		foreach ($endpoints as $endpoint) {
			$ret = $this->CallEndpoint("POST", $endpoint, array(
				"username" => "apiv2testuser1",
				"password" => "testpass1",
			));
			$this->expectError("call $endpoint without apikey", $ret);
			$this->t->is_deeply(array(
				'status' => 'error',
				'error_id' => 'api/not-authenticated',
				'message' => 'Not authenticated. FileBin requires you to have an account, please go to the homepage at http://127.0.0.1:23200/ for more information.',
			   ), $ret, "expected error");
		}
	}

	public function test_callEndpointsWithoutEnoughPermissions()
	{
		$testconfig = array(
			array(
				"have_level" => "basic",
				"wanted_level" => "apikey",
				"apikey" => $this->createUserAndApikey('basic'),
				"endpoints" => array(
					"file/delete",
					"file/history",
				),
			),
			array(
				"have_level" => "apikey",
				"wanted_level" => "full",
				"apikey" => $this->createUserAndApikey(),
				"endpoints" => array(
					"user/apikeys",
					"user/create_apikey",
					"user/delete_apikey",
				),
			),
		);
		foreach ($testconfig as $test) {
			foreach ($test['endpoints'] as $endpoint) {
				$ret = $this->CallEndpoint("POST", $endpoint, array(
					"apikey" => $test['apikey'],
				));
				$this->expectError("call $endpoint without enough permissions", $ret);
				$this->t->is_deeply(array(
					'status' => "error",
					'error_id' => "api/insufficient-permissions",
					'message' => "Access denied: Access level too low. Required: ${test['wanted_level']}; Have: ${test['have_level']}",
				   ), $ret, "expected permission error");
			}
		}
	}

}